Upload
others
View
3
Download
0
Embed Size (px)
Citation preview
Reverse engineering a Qualcomm baseband
Guillaume DelugreSogeti / ESEC R&D
guillaume(at)security-labs.org
28C3 - Berlin
Analysis of a 3G USB stickREX, the Qualcomm real-time kernel
Live debugging on the baseband
The baseband world
What is a baseband processor?
The main chipset of your phone
Responsible for handling telecommunications
Directly interfaced to hardware (microphone, speakers, . . . )
Includes stacks for telephony protocols
Smartphones also include an application processor running aseparate OS (e.g. Android, iOS, . . . )
Largest suppliers
Qualcomm (HTC phones, iPhone 4S)
MediaTek
Infineon (iPhone)
G. Delugre Reverse engineering a Qualcomm baseband 2/41
Analysis of a 3G USB stickREX, the Qualcomm real-time kernel
Live debugging on the baseband
The baseband world
Getting into the baseband world
Hacking phones is something hard to reach
Quite a closed industry
Network side: reading the 3GPP specs is a life achievement
System side: Aside from OsmocomBB, everything is closed
Yet good reasons to look into basebands
Understanding how a phone really works
Very big and old code base, good potential for vulnerabilities
Unlocking
G. Delugre Reverse engineering a Qualcomm baseband 3/41
Analysis of a 3G USB stickREX, the Qualcomm real-time kernel
Live debugging on the baseband
The baseband world
Exploitation on baseband
Probably not a lot of exploit mitigation techniques
Ralf-Philipp Weinmann reported vulnerabilities in Infineon andQualcomm basebands
But exploitation is almost impossible if you don’t know theenvironment in which you are running
Clear lack of litterature
About this talk
Describe the RTOS used on a Qualcomm baseband
Implementation of a debugger
G. Delugre Reverse engineering a Qualcomm baseband 4/41
Analysis of a 3G USB stickREX, the Qualcomm real-time kernel
Live debugging on the baseband
Plan
1 Analysis of a 3G USB stick
2 REX, the Qualcomm real-time kernel
3 Live debugging on the baseband
G. Delugre Reverse engineering a Qualcomm baseband 5/41
Analysis of a 3G USB stickREX, the Qualcomm real-time kernel
Live debugging on the baseband
Targeted device
G. Delugre Reverse engineering a Qualcomm baseband 6/41
Analysis of a 3G USB stickREX, the Qualcomm real-time kernel
Live debugging on the baseband
Targeted device
Icon 225
USB 3G stick
Qualcomm baseband inside, model MSM6280
Processor ARM926EJ-S (ARMv5)
Two proprietary Qualcomm DSPs (audio & modem)
Evolution
Model dating back to 2008
REX kernel running as OKL4 guest in newer generations
G. Delugre Reverse engineering a Qualcomm baseband 7/41
Analysis of a 3G USB stickREX, the Qualcomm real-time kernel
Live debugging on the baseband
3G USB stick normal operation mode
The stick emulates a serial line over USB
Communication with the host through standard AT commands
Registers to the cellular network, carries packet data over 3G
G. Delugre Reverse engineering a Qualcomm baseband 8/41
Analysis of a 3G USB stickREX, the Qualcomm real-time kernel
Live debugging on the baseband
First contact
USB stick entry points
Plugging the stick creates 3 emulated serial ports1 AT commands / packet data (multiplexing mode)2 Packet data (no multiplexing)3 Channel to a Qualcomm diagnostic task
Enabling the diagnostic channel
Directly accessible on the Icon 225 stick
Might need to send the AT command AT$QCDMG on somemodels
G. Delugre Reverse engineering a Qualcomm baseband 9/41
Analysis of a 3G USB stickREX, the Qualcomm real-time kernel
Live debugging on the baseband
DIAG task protocol
Diagnostic protocol
Undocumented but simple protocol
Partly reversed in ModemManager (libqcdm)
Begin-end markers (0x7e)
One byte for command type
Variable parameters (with escaped 0x7e and 0x7d bytes)
16-bits CRC-CCITT
G. Delugre Reverse engineering a Qualcomm baseband 10/41
Analysis of a 3G USB stickREX, the Qualcomm real-time kernel
Live debugging on the baseband
DIAG commands
Reading and writing to memory
The diagnostic task seems to support a lot of commands
Some of them offering direct access to memory
Command 0x02 reads a byte in memory
Command 0x05 writes a byte in memory
Dumping the system memory
Dump the primary bootloader at 0xffff0000
Dump the whole system memory from 0
G. Delugre Reverse engineering a Qualcomm baseband 11/41
Analysis of a 3G USB stickREX, the Qualcomm real-time kernel
Live debugging on the baseband
Downloader mode
Downloader mode
Presence of a subset mode with only two commands available
Write data to memoryExecute at address
Access limited to a small hardcoded memory range
Enabled:
through command 58 of the diagnostic modewhen the system crasheson some HTC phones, VolUp+VolDown+Power during boot (5vibrations)
G. Delugre Reverse engineering a Qualcomm baseband 12/41
Analysis of a 3G USB stickREX, the Qualcomm real-time kernel
Live debugging on the baseband
Live memory snapshot
Live memory snapshot
PBL does not check QC-SBL signature (not the caseanymore)
Memory snapshot is 32MB long, entry point at 0x80000
The memory snapshot can be directly analyzed in IDA Pro
System characteristics
MMU maps direct access to physical pages, first 13MB asread-only
All tasks share the same address space
Everything is running in ARM supervisor mode
Presumably compiled with official ARM toolchain, no SSP
ARMv5 does not support XN bit
G. Delugre Reverse engineering a Qualcomm baseband 13/41
Analysis of a 3G USB stickREX, the Qualcomm real-time kernel
Live debugging on the baseband
SchedulerIPCMemory management
Plan
1 Analysis of a 3G USB stick
2 REX, the Qualcomm real-time kernel
3 Live debugging on the baseband
G. Delugre Reverse engineering a Qualcomm baseband 14/41
Analysis of a 3G USB stickREX, the Qualcomm real-time kernel
Live debugging on the baseband
SchedulerIPCMemory management
REX
The Qualcomm RTOS
Qualcomm has developed their own proprietary RT kernel,called REX
Operating system is named AMSS
The system is made of 69 concurrent tasks
Tasks for
Hardware management (USB, USIM, DSPs, GPS. . . )Protocol stacks at each layer (GSM L1, L2, RR, MM. . . )
Necessary reverse engineering
The kernel API
The C library
Softfloat/arithmetic builtins
G. Delugre Reverse engineering a Qualcomm baseband 15/41
Analysis of a 3G USB stickREX, the Qualcomm real-time kernel
Live debugging on the baseband
SchedulerIPCMemory management
System boot
G. Delugre Reverse engineering a Qualcomm baseband 16/41
Analysis of a 3G USB stickREX, the Qualcomm real-time kernel
Live debugging on the baseband
SchedulerIPCMemory management
REX tasks
REX core tasks
SLEEP: Idle task.
DPC: Routes APCs across tasks.
MAIN: Launches all system tasks, then handles timer events.
DOG: Watchdog. Constantly checks that tasks are alive.
DS: Data Services task. Unified data gathering task for allprotocol layers.
CM: Call Manager task.
PS: Packet-switched Services. Network stacks at upper layers(TCP/IP, PPP. . . )
DIAG: Provides the diagnostic interface.
G. Delugre Reverse engineering a Qualcomm baseband 17/41
Analysis of a 3G USB stickREX, the Qualcomm real-time kernel
Live debugging on the baseband
SchedulerIPCMemory management
Plan
1 Analysis of a 3G USB stick
2 REX, the Qualcomm real-time kernelSchedulerIPCMemory management
3 Live debugging on the baseband
G. Delugre Reverse engineering a Qualcomm baseband 18/41
Analysis of a 3G USB stickREX, the Qualcomm real-time kernel
Live debugging on the baseband
SchedulerIPCMemory management
Main fields of the task structure
G. Delugre Reverse engineering a Qualcomm baseband 19/41
Analysis of a 3G USB stickREX, the Qualcomm real-time kernel
Live debugging on the baseband
SchedulerIPCMemory management
REX scheduler
REX task
All tasks share the same address space, ARM supervisor mode
Double-chained task list, ordered by priority
Context switch
Task context saved on the stackContext switch ⇒ stack switch + restore context
Synchronization
Tasks can wait for a signal (up to 32 signals)
Scheduler support for critical sections
G. Delugre Reverse engineering a Qualcomm baseband 20/41
Analysis of a 3G USB stickREX, the Qualcomm real-time kernel
Live debugging on the baseband
SchedulerIPCMemory management
REX APC/DPC mechanism
Asynchronous procedure calls
Push a new context on the stack of a task
When the task is scheduled, the call is executed
Original context is then restored
Deferred procedure calls
The task DPC Task is dedicated to dispatch APCs
High priority task
Allows a task to execute code in the context of another task
G. Delugre Reverse engineering a Qualcomm baseband 21/41
Analysis of a 3G USB stickREX, the Qualcomm real-time kernel
Live debugging on the baseband
SchedulerIPCMemory management
REX Timers
Timers
Tasks can set a specific action to occur at regular interval
Timers are handled by the Main task
Timer lists ordered by deadline
Timer events
Timer actions (non-exclusive)
Send a signal to a taskExecute an APCExecute a direct routine call (main task context)
G. Delugre Reverse engineering a Qualcomm baseband 22/41
Analysis of a 3G USB stickREX, the Qualcomm real-time kernel
Live debugging on the baseband
SchedulerIPCMemory management
Plan
1 Analysis of a 3G USB stick
2 REX, the Qualcomm real-time kernelSchedulerIPCMemory management
3 Live debugging on the baseband
G. Delugre Reverse engineering a Qualcomm baseband 23/41
Analysis of a 3G USB stickREX, the Qualcomm real-time kernel
Live debugging on the baseband
SchedulerIPCMemory management
REX IPC
Inter-task communication
Tasks primarily communicate through the mean of signals
A task is put into a wait state until the right signal is fired
Common inter-task communication
1 Task A is waiting for data to process
2 Task B pushes data into a shared FIFO queue
3 Task B sends a signal to task A
4 Task A is scheduled, pop and process the data
5 Optionally, task B sends a signal to task A to acknowledge
G. Delugre Reverse engineering a Qualcomm baseband 24/41
Analysis of a 3G USB stickREX, the Qualcomm real-time kernel
Live debugging on the baseband
SchedulerIPCMemory management
Data pipes
Pipes
The DS (Data Services) task implements data pipes
Tasks can push and fetch data as a contiguous stream ofmemory
Widely used
DS task seems to gather and route data from many layers intopipesImplementation of sockets
G. Delugre Reverse engineering a Qualcomm baseband 25/41
Analysis of a 3G USB stickREX, the Qualcomm real-time kernel
Live debugging on the baseband
SchedulerIPCMemory management
Plan
1 Analysis of a 3G USB stick
2 REX, the Qualcomm real-time kernelSchedulerIPCMemory management
3 Live debugging on the baseband
G. Delugre Reverse engineering a Qualcomm baseband 26/41
Analysis of a 3G USB stickREX, the Qualcomm real-time kernel
Live debugging on the baseband
SchedulerIPCMemory management
REX heap
Heap
Heap structure very simple
Chunk metadata: size, free?
Tasks generally use their own separate heap
Presence of a global system heap, almost unused
G. Delugre Reverse engineering a Qualcomm baseband 27/41
Analysis of a 3G USB stickREX, the Qualcomm real-time kernel
Live debugging on the baseband
Code executionBreaking a taskBreakpoints and single-stepDebugger architecture
Plan
1 Analysis of a 3G USB stick
2 REX, the Qualcomm real-time kernel
3 Live debugging on the baseband
G. Delugre Reverse engineering a Qualcomm baseband 28/41
Analysis of a 3G USB stickREX, the Qualcomm real-time kernel
Live debugging on the baseband
Code executionBreaking a taskBreakpoints and single-stepDebugger architecture
Plan
1 Analysis of a 3G USB stick
2 REX, the Qualcomm real-time kernel
3 Live debugging on the basebandCode executionBreaking a taskBreakpoints and single-stepDebugger architecture
G. Delugre Reverse engineering a Qualcomm baseband 29/41
Analysis of a 3G USB stickREX, the Qualcomm real-time kernel
Live debugging on the baseband
Code executionBreaking a taskBreakpoints and single-stepDebugger architecture
Code execution
Getting code execution
Since arbitrary reads/writes are possible, code execution iseasily achievable
We want to be able to communicate with our injected code
Either hook an AT commandOr hook a DIAG task command
Preferably hook a DIAG command and execute code in thecontext of the DIAG task
This way we can still debug AT command handlers
Communication with the payload over USB using the DIAGprotocol (reuse of the DIAG task API)
G. Delugre Reverse engineering a Qualcomm baseband 30/41
Analysis of a 3G USB stickREX, the Qualcomm real-time kernel
Live debugging on the baseband
Code executionBreaking a taskBreakpoints and single-stepDebugger architecture
Hooking the DIAG task
G. Delugre Reverse engineering a Qualcomm baseband 31/41
Analysis of a 3G USB stickREX, the Qualcomm real-time kernel
Live debugging on the baseband
Code executionBreaking a taskBreakpoints and single-stepDebugger architecture
Plan
1 Analysis of a 3G USB stick
2 REX, the Qualcomm real-time kernel
3 Live debugging on the basebandCode executionBreaking a taskBreakpoints and single-stepDebugger architecture
G. Delugre Reverse engineering a Qualcomm baseband 32/41
Analysis of a 3G USB stickREX, the Qualcomm real-time kernel
Live debugging on the baseband
Code executionBreaking a taskBreakpoints and single-stepDebugger architecture
Debugger breaks
Stopping a task
A task should be stopped
when the debugger instructs it to do soafter hitting a breakpoint / exception
The task has to be unscheduled and resumed on-demand
Use the kernel function rex wait to pause the task
The signal must be used only by the debugger
The task is resumed by setting the debug signal(rex set task signals)
The debugger can force a task to stop by sending a DPC
G. Delugre Reverse engineering a Qualcomm baseband 33/41
Analysis of a 3G USB stickREX, the Qualcomm real-time kernel
Live debugging on the baseband
Code executionBreaking a taskBreakpoints and single-stepDebugger architecture
Plan
1 Analysis of a 3G USB stick
2 REX, the Qualcomm real-time kernel
3 Live debugging on the basebandCode executionBreaking a taskBreakpoints and single-stepDebugger architecture
G. Delugre Reverse engineering a Qualcomm baseband 34/41
Analysis of a 3G USB stickREX, the Qualcomm real-time kernel
Live debugging on the baseband
Code executionBreaking a taskBreakpoints and single-stepDebugger architecture
Single-step on ARM
Single step
ARM has no native support for single-step
Multiple implementations possible for single-stepping
Standard: compute next $pc value, set a BP and continue
⇒ Not multithread safe.
Emulated: emulate the instruction in the thread context.
⇒ Needs a full ARM/Thumb emulator. . .
Displaced: copy the instruction into a separate buffer, set aBP after it and jump on the buffer
⇒ Needs JIT assembler to perform instruction relocation.
Virtualized: Implements separate virtual address space foreach task and uses standard method
⇒ Needs to patch the scheduler
G. Delugre Reverse engineering a Qualcomm baseband 35/41
Analysis of a 3G USB stickREX, the Qualcomm real-time kernel
Live debugging on the baseband
Code executionBreaking a taskBreakpoints and single-stepDebugger architecture
Plan
1 Analysis of a 3G USB stick
2 REX, the Qualcomm real-time kernel
3 Live debugging on the basebandCode executionBreaking a taskBreakpoints and single-stepDebugger architecture
G. Delugre Reverse engineering a Qualcomm baseband 36/41
Analysis of a 3G USB stickREX, the Qualcomm real-time kernel
Live debugging on the baseband
Code executionBreaking a taskBreakpoints and single-stepDebugger architecture
Debugging architecture
Debugger architecture
Proxy to bridge GDB requests and the DIAG protocol
GDB used in non-stop mode (multithread support)
REX tasks are shown as threads to GDB
G. Delugre Reverse engineering a Qualcomm baseband 37/41
Analysis of a 3G USB stickREX, the Qualcomm real-time kernel
Live debugging on the baseband
Code executionBreaking a taskBreakpoints and single-stepDebugger architecture
Demo
Demo
G. Delugre Reverse engineering a Qualcomm baseband 38/41
Analysis of a 3G USB stickREX, the Qualcomm real-time kernel
Live debugging on the baseband
Code executionBreaking a taskBreakpoints and single-stepDebugger architecture
Conclusion
Conclusion
Baseband systems massively used but still poorly known
Icon 225 key uses a non-secure bootloader
Those chips are also nice for code execution and analysis
More recent versions uses a REX/OKL4 hybrid kernel
Interactions with application processor on real phones
G. Delugre Reverse engineering a Qualcomm baseband 39/41
Analysis of a 3G USB stickREX, the Qualcomm real-time kernel
Live debugging on the baseband
Code executionBreaking a taskBreakpoints and single-stepDebugger architecture
Baseband related works
Related talks
R.-P. Weinmann, The Baseband Apocalypse, 27C3
Luis Miras, Baseband playground, Ekoparty 7th edition
On the web
tjworld.net
bb.osmocom.org
G. Delugre Reverse engineering a Qualcomm baseband 40/41
Analysis of a 3G USB stickREX, the Qualcomm real-time kernel
Live debugging on the baseband
Code executionBreaking a taskBreakpoints and single-stepDebugger architecture
Thank you for your attention!
Questions?
G. Delugre Reverse engineering a Qualcomm baseband 41/41